Bug 26171 - exiv2 new security issue CVE-2019-20421
Summary: exiv2 new security issue CVE-2019-20421
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2020-02-07 21:18 CET by David Walser
Modified: 2020-02-13 11:50 CET

See Also:
Source RPM: exiv2-0.27.1-3.2.mga7.src.rpm
CVE: CVE-2019-20421
Status comment:


Description David Walser 2020-02-07 21:18:21 CET
Ubuntu has issued an advisory on February 5:
https://usn.ubuntu.com/4270-1/

Mageia 7 is also affected.
David Walser 2020-02-07 21:18:29 CET

Whiteboard: (none) => MGA7TOO

Comment 1 Nicolas Salguero 2020-02-08 22:25:09 CET
Suggested advisory:
========================

The updated packages fix a security vulnerability:

In Jp2Image::readMetadata() in jp2image.cpp in Exiv2 0.27.2, an input file can result in an infinite loop and hang, with high CPU consumption. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted file. (CVE-2019-20421)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20421
https://usn.ubuntu.com/4270-1/
========================

Updated packages in core/updates_testing:
========================
exiv2-0.27.1-3.3.mga7
lib(64)exiv2_27-0.27.1-3.3.mga7
lib(64)exiv2-devel-0.27.1-3.3.mga7
exiv2-doc-0.27.1-3.3.mga7

from SRPMS:
exiv2-0.27.1-3.3.mga7.src.rpm

Status: NEW => ASSIGNED
Version: Cauldron => 7
CVE: (none) => CVE-2019-20421
Source RPM: exiv2-0.27.2-2.mga8.src.rpm => exiv2-0.27.1-3.2.mga7.src.rpm
Assignee: nicolas.salguero => qa-bugs
Whiteboard: MGA7TOO => (none)

Comment 2 Len Lawrence 2020-02-09 13:46:06 CET
Working on this.

CC: (none) => tarazed25

Comment 3 Len Lawrence 2020-02-09 14:25:55 CET
Mageia7, x86_64

CVE-2019-20421
https://github.com/Exiv2/exiv2/issues/1011
$ exiv2 Jp2Image_readMetadata_loop.poc
File name       : Jp2Image_readMetadata_loop.poc
File size       : 738 Bytes
MIME type       : image/pgf
Image size      : 1007160575 x 1781334193
Jp2Image_readMetadata_loop.poc: No Exif data found in the file

No infinite loop and a tidy exit, which implies that the fix was already in place before the update, but note that the upstream note says the fault -can- lead to an infinite loop. This system is starting at exiv2-0.27.1-3.2.mga7.

Updated the four packages.

$ exiv2 Jp2Image_readMetadata_loop.poc
Exiv2 exception in print action for file Jp2Image_readMetadata_loop.poc:
corrupted image metadata

This differs from the earlier test but seems to confirm the fix.

The library is used by various image viewers, nautilus, mythtv, okular, gimp, astronomy packages, gnome-shell, digikam, darktable ....

$ strace -o dark.trace darktable
$ grep exiv2 dark.trace
openat(AT_FDCWD, "/lib64/libexiv2.so.27", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib64/libexiv2.so.0.27.1", O_RDONLY) = 3

$ exiv2 JessicaAlba.tif
File name       : JessicaAlba.tif
File size       : 3229613 Bytes
MIME type       : image/tiff
Image size      : 1200 x 896
....
$ exiv2 -c "QA testing" TatianaMaslany.jpg
$ strings TatianaMaslany.jpg | grep QA
QA testing
QA)E
....
$ exiv2 -pc TatianaMaslany.jpg
QA testing

gthumb displays Exif information for selected images.

$ strace -o thumb.trace gthumb .
$ grep exiv2 thumb.trace
openat(AT_FDCWD, "/usr/lib64/gthumb/extensions/exiv2_tools.extension", O_RDONLY) = 25
openat(AT_FDCWD, "/usr/lib64/gthumb/extensions/libexiv2_tools.so", O_RDONLY|O_CLOEXEC) = 24
openat(AT_FDCWD, "/usr/lib64/gthumb/extensions/libexiv2.so.27", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/lib64/libexiv2.so.27", O_RDONLY|O_CLOEXEC) = 24
stat("/usr/lib64/gthumb/extensions/libexiv2_tools.so", {st_mode=S_IFREG|0755, st_size=148064, ...}) = 0

This looks fine for 64-bits.

Whiteboard: (none) => MGA7-64-OK
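
An added example, not part of the original bug report or of the tester's own procedure: a small harness for the kind of hang check done in Comment 3, which runs the parser under a wall-clock limit so that an infinite loop is reported as a verdict instead of blocking the test session. It assumes GNU coreutils `timeout`; the `PARSER` variable and both function names are hypothetical.

```shell
#!/bin/sh
# PARSER is a hypothetical override so the harness can be exercised without
# exiv2 installed; by default it runs the exiv2 command used in Comment 3.
PARSER=${PARSER:-exiv2}

# classify_run SECONDS COMMAND [ARGS...]
# Prints HANG, OK or ERROR for one run of COMMAND.
classify_run() {
    limit=$1; shift
    rc=0
    # GNU timeout exits 124 when the limit expires; -k 1 follows up with
    # SIGKILL (exit 137) if the process ignores SIGTERM.
    timeout -k 1 "$limit" "$@" >/dev/null 2>&1 || rc=$?
    case $rc in
        124|137) echo HANG ;;
        0)       echo OK ;;
        *)       echo ERROR ;;   # prompt failure, e.g. the file was rejected
    esac
}

# check_sample FILE [SECONDS]
# Succeeds unless the parser is still running when the limit expires.
check_sample() {
    verdict=$(classify_run "${2:-10}" "$PARSER" "$1")
    printf '%s: %s\n' "$1" "$verdict"
    [ "$verdict" != HANG ]
}
```

Running `check_sample Jp2Image_readMetadata_loop.poc` before and after installing the update gives two verdicts to compare; either a clean exit or a prompt error is acceptable, only HANG indicates the denial-of-service condition.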

Comment 4 Thomas Andrews 2020-02-09 22:52:42 CET
Thank you, Len. Validating. Advisory in Comment 1.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Thomas Backlund 2020-02-13 11:07:29 CET

Keywords: (none) => advisory
CC: (none) => tmb

Comment 5 Mageia Robot 2020-02-13 11:50:21 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0084.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

